TX: MedSpring Urgent Care notifies 13,000 patients after phishing attack

As Protenus’s Q-2 report for health data breaches in the U.S. indicates, phishing continues to account for a significant percentage of reported breaches.  Here’s another phishing incident recently disclosed to HHS that will be in Protenus’s Q-3 report as affecting 13,034 patients:

July 20, 2018

At MedSpring Urgent Care (MedSpring), we take the privacy and security of our patients’ information seriously. We are providing the following information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable state law to explain that a third party may have had unauthorized access to personal information about certain patients who were treated at our facilities located in Illinois.

On May 8, 2018, an employee was the victim of an email phishing scam that we learned on May 17, 2018 may have resulted in unauthorized access to the employee’s email account. Email “phishing” scams involve an attempt by an unauthorized individual to obtain sensitive information, such as usernames and passwords, by disguising as a trustworthy entity.  Promptly after discovering the attack, MedSpring blocked the unauthorized party’s access to the email account and hired a leading cybersecurity forensics firm specializing in the investigation and resolution of cyberattacks to investigate the attack and determine what information may have been accessed by the unauthorized party.

On May 22, 2018, MedSpring discovered that the unauthorized party may have been able to access individuals’ personal information contained in the compromised email account and launched a thorough review of those emails. As a result of that review, we recently learned that information in that compromised email account may have included certain patients’ names, account numbers, medical record numbers, and dates and services relating to the provision of medical services.

At this time, we are not aware of any unauthorized viewing or misuse of our patients’ information. We are sending notification letters to all potentially affected individuals for whom MedSpring has up-to-date contact information. If you were treated at one of our Illinois facilities and do not receive a letter from us, you may call (866) 751-1317 toll free to determine whether your information was identified as being involved.  We have arranged to provide 12 months of identity protection and fraud resolution services through Experian to all individuals whose information was contained in the compromised email account.

Any individuals who receive a notification letter from MedSpring or who might otherwise be concerned about identity theft are encouraged to regularly review statements from their accounts and to periodically obtain their credit report from one or more of the national credit reporting companies. Individuals may obtain a copy of their credit report once every 12 months by either visiting http://www.annualcreditreport.com, calling toll free at 1-877-322-8228, or completing an Annual Credit Report Request Form (found at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) and mailing it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. For questions about identity theft, credit monitoring, and how to keep information secure, patients can visit this website: http://www.consumer.ftc.gov/topics/identity-theft.

We take the protection of our patients’ information very seriously and have taken steps to prevent a similar incident from occurring in the future, including the implementation of additional technological security features designed to prevent future phishing scams.

Any individuals who receive a notification letter from MedSpring or who were treated at one of our Illinois facilities may call (866) 751-1317 toll free with questions.

About the author: Dissent

Comments are closed.